Closed Bug 851416 Opened 13 years ago Closed 13 years ago

Use-after-free with SVG and privacy.sanitize.sanitizeOnShutdown

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox19 --- unaffected
firefox20 --- unaffected
firefox21 --- unaffected
firefox22 + fixed
firefox23 --- disabled
firefox-esr17 --- unaffected
b2g18 --- unaffected
b2g18-v1.0.0 --- unaffected
b2g18-v1.0.1 --- unaffected

People

(Reporter: jruderman, Assigned: seth)

References

Details

(5 keywords, Whiteboard: [adv-main22-])

Attachments

(4 files)

testcase (see comment 0)
284 bytes, text/html
Details
stack (gdb)
3.00 KB, text/plain
Details
stack (ASan)
1.85 KB, text/plain
Details
Ensure SVGRootRenderingObserver always gets added back to the rendering observer list.
1.63 KB, patch
dholbert
: review+
Details | Diff | Splinter Review
1. Create a new profile 2. Set: user_pref("privacy.sanitize.sanitizeOnShutdown", true); 3. Download the testcase as q4-a.html 4. Fix the path in the testcase. 5. Run firefox -profile ~/pxa/ q4-a.html 6. Quit Firefox Result: Crash [@ nsNodeUtils::ParentChainChanged] or Crash [@ nsNodeUtils::LastRelease]
Attached file stack (gdb)
Attached file stack (ASan)
Might be webidl changes. If this is a regression then a regression range would likely be useful.
The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/1cf12e699dc7 user: Seth Fowler date: Thu Feb 28 12:02:31 2013 -0800 summary: Bug 846028 - Coalesce invalidations in VectorImage. r=dholbert
Blocks: 846028
Keywords: regression
I'll take a look at this.
Assignee: nobody → seth
So bug 846028 causes SVGRootRenderingObserver to stay out of the rendering observer list for the SVG root element it's watching from the time when some initial invalidation happens until the time when VectorImage::Draw is called. Unfortunately this test case shows that this can cause it to miss important messages - in particular it misses a call to nsSVGRenderingObserver::NotifyEvictedFromRenderingObserverList, which (logically enough) is only called if you're in the rendering observer list, but also has the effect of removing you from the _mutation_ observer list. SVGrootRenderingObserver thus isn't removed from the mutation observer list at the right time in certain circumstances, leading to the crash. Perhaps this behavior should not cause a crash, and if not we can fix the API design in a separate bug, but for this bug I think reimplementing bug 846028 in a way that's safer with the current API is the right way to go. Patch shortly.
Here's the fix. We ensure that SVGRootRenderingObserver always gets added back to the rendering observer list, one way or another. If we send an invalidation, VectorImage::Draw will take care of it as before. The new thing is that if we _don't_ send an invalidation, we go ahead and add ourselves back right there in SVGRootRenderingObserver::DoUpdate. With this patch applied I can't reproduce the testcase crash anymore.
Attachment #726375 - Flags: review?(dholbert)
Attachment #726375 - Flags: review?(dholbert) → review+
Thanks for the super fast review, Daniel! Fortunately, this doesn't affect anything but nightly AFAICT. Will push in if things look good on try.
> user_pref("privacy.sanitize.sanitizeOnShutdown", true); Looking at the patch, I'm guessing this bug can occur also without that pref? Just that it make crashing more reliable? > Crash [@ nsNodeUtils::ParentChainChanged] or > Crash [@ nsNodeUtils::LastRelease] I'll assume the worst and flag as csec-uaf unless someone thinks otherwise.
status-b2g18: --- → unaffected
status-b2g18-v1.0.0: --- → unaffected
status-b2g18-v1.0.1: --- → unaffected
status-firefox19: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → unaffected
status-firefox22: --- → affected
status-firefox-esr17: --- → unaffected
Keywords: csec-uaf, sec-critical
OS: Mac OS X → All
Hardware: x86_64 → All
Seth, it looks like this is ready to land; or did you find some problem?
Flags: needinfo?(seth)
Mats, yeah, I think it's pretty likely that this bug could occur without the pref. And indeed, try looks OK and it's ready to land. I'll push it in now.
Flags: needinfo?(seth)
Sorry it took so long to actually push; inbound was closed earlier. https://hg.mozilla.org/integration/mozilla-inbound/rev/e152c2763cad
tracking-firefox22: + → ---
Hmm, and I reset that flag. I don't understand why that happens. It's not like this was a mid-air collision.... Sorry, but I don't appear to have the permissions to fix it.
All us mere mortals can do is request it, and then those with god-like powers can +/- it. ;-)
tracking-firefox21: --- → ?
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #15) > All us mere mortals can do is request it, and then those with god-like > powers can +/- it. ;-) I guess you meant to nominate for tracking-firefox22 here, so going ahead and setting the right flags here
(In reply to bhavana bajaj [:bajaj] from comment #16) > I guess you meant to nominate for tracking-firefox22 here, so going ahead > and setting the right flags here Gah, was late at night for me, sorry. Thanks for doing the right thing there. :)
https://hg.mozilla.org/mozilla-central/rev/e152c2763cad
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox22: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Flags: in-testsuite?
Blocks: 883416
Whiteboard: [adv-main22-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: